Danger in the Digital Fog: Netflix and PayPal Users Targeted by ‘Matrix Push’ Phishing Platform
Dean Charlton, Nov 24, 2025
It has been a concerning few weeks in the world of cybersecurity, highlighted by sophisticated threats that are often ‘not what they seem’. First, there were warnings about stealthy copy-and-paste attacks leveraging the clipboard as a vector, and then came news of the Sturnus Android banking trojan, designed to read secure instant message conversations after they have been decrypted on a smartphone’s screen.
Now, a new, highly professionalised threat has emerged: the Matrix Push C2 platform. This cybercrime service is employing compromised and highly disguised web browser notifications to fool users of high-profile services, including Netflix, PayPal, MetaMask, Cloudflare, and TikTok, into giving up their login credentials.

What is Matrix Push and Why is it so Effective?
A new threat report issued by BlackFog security confirms that Matrix Push is a command-and-control (C2) platform used by criminals to deliver phishing attacks and malware by exploiting standard web browser functionality.
The attack is rooted in social engineering. Victims are initially tricked into agreeing to accept browser notifications on a malicious, or sometimes legitimate but compromised, website. Once permission is granted, the platform takes over. It sends carefully crafted, deceptive alerts that appear in the device’s genuine notification area, mimicking official warnings from the operating system or services like Netflix and PayPal.
Because this tactic leverages browser-native features, it is described by BlackFog as a “fileless” and cross-platform threat, making it dangerous regardless of whether you are using a Windows PC, a Mac, or a mobile phone.
If a notification appears legitimate and sits in your device's genuine alert area, how can you tell if it is a genuine security warning or a clever phishing ploy?
The Professionalisation of Cybercrime
The discovery of Matrix Push C2 underscores the worrying trend of professionalisation within cybercrime. Reports indicate the platform is operated as a Malware-as-a-Service (MaaS) kit, complete with a web-based dashboard and analytics, sold on cybercrime forums and Telegram. Threat actors can purchase tiered subscriptions costing up to approximately £1,200 ($1,500) for a full year, giving them access to brand templates and real-time tracking of their victims.
This rise in MaaS platforms, coupled with highly advanced malware like Sturnus—which Dutch security firm ThreatFabric notes bypasses end-to-end encryption simply by reading message content after it appears on the screen—shows that attackers are leveraging every possible loophole to access sensitive data.
The common thread running through all these modern attacks is the abuse of trusted digital components, whether it be browser notifications or application accessibility features. For users, the key takeaway is that vigilance must now extend beyond just email security. Never click a link within an unexpected notification, no matter how official the logo looks, and be highly selective about which websites you grant permission to send you alerts.
As cybercriminals increasingly professionalise their tools using MaaS models, what is the single most important action everyday users can take to protect their accounts?

